Merge branch 'version-1' into develop

2025-06-17 03:40:14 +02:00 · 2022-07-12 11:06:19 +02:00
parent 28fcb2159c 65c30708b8
commit 411edbf0e7
17 changed files with 1074 additions and 298 deletions
--- a/lib/add_bc_user.sh
+++ b/lib/add_bc_user.sh
@ -0,0 +1,10 @@
+#!/bin/bash -e
+source lib/functions.sh
+
+log "INFO" "This script add's a user with password to the bridghead"
+
+read -p 'Username: ' bc_user
+read -sp 'Password: ' bc_password
+
+log "INFO" "\nPlease export the line in the your environment. Please replace the dollar signs with with \\\$"
+docker run --rm -it httpd:latest htpasswd -nb $bc_user $bc_password
--- a/lib/functions.sh
+++ b/lib/functions.sh
@ -2,11 +2,115 @@

 exitIfNotRoot() {
  if [ "$EUID" -ne 0 ]; then
+<<<<<<< HEAD
    echo "Please run as root"
+=======
+    log "ERROR" "Please run as root"
+>>>>>>> version-1
    exit 1
  fi
 }

+<<<<<<< HEAD
 log() {
  echo "$(date +'%Y-%m-%d %T')" "$1:" "$2"
 }
+=======
+checkOwner(){
+  COUNT=$(find $1 ! -user $2 |wc -l)
+  if [ $COUNT -gt 0 ]; then
+    log ERROR "$COUNT files in $1 are not owned by user $2. Run find $1 ! -user $2 to see them, chown -R $2 $1 to correct this issue."
+    return 1
+  fi
+  return 0
+}
+
+log() {
+  echo -e "$(date +'%Y-%m-%d %T')" "$1:" "$2"
+}
+
+printUsage() {
+	echo "Usage: bridgehead start|stop|update|install|uninstall PROJECTNAME"
+	echo "PROJECTNAME should be one of ccp|nngm|gbn"
+}
+
+checkRequirements() {
+	if ! lib/prerequisites.sh; then
+		log "ERROR" "Validating Prerequisites failed, please fix the error(s) above this line."
+		exit 1
+	else
+		return 0
+	fi
+}
+
+fetchVarsFromVault() {
+	[ -e /etc/bridgehead/vault.conf ] && source /etc/bridgehead/vault.conf
+
+	if [ -z "$BW_MASTERPASS" ] || [ -z "$BW_CLIENTID" ] || [ -z "$BW_CLIENTSECRET" ]; then
+		log "ERROR" "Please supply correct credentials in /etc/bridgehead/vault.conf."
+		return 1
+	fi
+
+	set +e
+
+	PASS=$(BW_MASTERPASS="$BW_MASTERPASS" BW_CLIENTID="$BW_CLIENTID" BW_CLIENTSECRET="$BW_CLIENTSECRET" docker run --rm -e BW_MASTERPASS -e BW_CLIENTID -e BW_CLIENTSECRET -e http_proxy samply/bridgehead-vaultfetcher $@)
+	RET=$?
+
+	if [ $RET -ne 0 ]; then
+		echo "Code: $RET"
+		echo $PASS
+		return $RET
+	fi
+
+	eval $(echo -e "$PASS" | sed 's/\r//g')
+
+	set -e
+
+	return 0
+}
+
+fetchVarsFromVaultByFile() {
+	VARS_TO_FETCH=""
+
+	for line in $(cat $@); do
+		if [[ $line =~ .*=[\"]*\<VAULT\>[\"]*.* ]]; then
+			VARS_TO_FETCH+="$(echo -n $line | sed 's/=.*//') "
+		fi
+	done
+
+	if [ -z "$VARS_TO_FETCH" ]; then
+		return 0
+	fi
+
+	log INFO "Fetching $(echo $VARS_TO_FETCH | wc -w) secrets from Vault ..."
+
+	fetchVarsFromVault $VARS_TO_FETCH
+
+	return 0
+}
+
+assertVarsNotEmpty() {
+	MISSING_VARS=""
+
+	for VAR in $@; do
+	if [ -z "${!VAR}" ]; then
+			MISSING_VARS+="$VAR "
+		fi
+	done
+
+	if [ -n "$MISSING_VARS" ]; then
+		log "ERROR" "Mandatory variables not defined: $MISSING_VARS"
+		return 1
+	fi
+
+	return 0
+}
+
+##Setting Network properties
+export HOSTIP=$(MSYS_NO_PATHCONV=1 docker run --rm --add-host=host.docker.internal:host-gateway ubuntu cat /etc/hosts | grep 'host.docker.internal' | awk '{print $1}');
+export HOST=$(hostname)
+export PRODUCTION="false";
+if [ "$(git branch --show-current)" == "main" ]; then
+	export PRODUCTION="true";
+fi
+>>>>>>> version-1
--- a/lib/gitpassword.sh
+++ b/lib/gitpassword.sh
@ -0,0 +1,42 @@
+#!/bin/bash
+
+if [ "$1" != "get" ]; then
+	echo "Usage: $0 get"
+	exit 1
+fi
+
+baseDir() {
+	# see https://stackoverflow.com/questions/59895
+	SOURCE=${BASH_SOURCE[0]}
+	while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink
+		DIR=$( cd -P "$( dirname "$SOURCE" )" >/dev/null 2>&1 && pwd )
+		SOURCE=$(readlink "$SOURCE")
+		[[ $SOURCE != /* ]] && SOURCE=$DIR/$SOURCE # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located
+        done
+        DIR=$( cd -P "$( dirname "$SOURCE" )/.." >/dev/null 2>&1 && pwd )
+        echo $DIR
+}
+
+BASE=$(baseDir)
+cd $BASE
+
+source lib/functions.sh
+
+assertVarsNotEmpty SITE_ID || exit 1
+
+PARAMS="$(cat)"
+GITHOST=$(echo "$PARAMS" | grep "^host=" | sed 's/host=\(.*\)/\1/g')
+
+fetchVarsFromVault GIT_PASSWORD
+
+if [ -z "${GIT_PASSWORD}" ]; then
+	log ERROR "Git password not found."
+	exit 1
+fi
+
+cat <<EOF
+protocol=https
+host=$GITHOST
+username=bk-${SITE_ID}
+password=${GIT_PASSWORD}
+EOF
--- a/lib/prerequisites.sh
+++ b/lib/prerequisites.sh
@ -1,9 +1,24 @@
 #!/bin/bash

+<<<<<<< HEAD

 ## Check if user is a su
 echo "Welcome to the starting a bridgehead. We will get your instance up and running in no time"
 echo "First we will check if all prerequisites are met ..."
+=======
+source lib/functions.sh
+
+if ! id "bridgehead" &>/dev/null; then
+  log ERROR "User bridgehead does not exist. Please consult readme for installation."
+  exit 1
+fi
+
+checkOwner . bridgehead || exit 1
+checkOwner /etc/bridgehead bridgehead || exit 1
+
+## Check if user is a su
+log INFO "Checking if all prerequisites are met ..."
+>>>>>>> version-1
 prerequisites="git docker docker-compose"
 for prerequisite in $prerequisites; do
  $prerequisite --version 2>&1
@ -15,6 +30,7 @@ for prerequisite in $prerequisites; do
  # TODO: Check for specific version
 done

+<<<<<<< HEAD
 echo "Checking site.conf"

 #check if site.conf is created
@ -52,3 +68,44 @@ if [ -d "site-config/${project}.env" ]; then
 fi

 echo "All prerequisites are met!"
+=======
+log INFO "Checking configuration ..."
+
+## Download submodule
+if [ ! -d "/etc/bridgehead/" ]; then
+  log ERROR "Please set up the config folder at /etc/bridgehead. Instruction are in the readme."
+  exit 1
+fi
+
+# TODO: Check all required variables here in a generic loop
+
+#check if project env is present
+if [ -d "/etc/bridgehead/${PROJECT}.conf" ]; then
+   log ERROR "Project config not found. Please copy the template from ${PROJECT} and put it under /etc/bridgehead-config/${PROJECT}.conf."
+   exit 1
+fi
+
+# TODO: Make sure you're in the right directory, or, even better, be independent from the working directory.
+
+log INFO "Checking ssl cert"
+
+if [ ! -d "certs" ]; then
+  log WARN "TLS cert missing, we'll now create a self-signed one. Please consider getting an officially signed one (e.g. via Let's Encrypt ...)"
+  mkdir -p certs
+fi
+
+if [ ! -e "certs/traefik.crt" ]; then
+  openssl req -x509 -newkey rsa:4096 -nodes -keyout certs/traefik.key -out certs/traefik.crt -days 3650 -subj "/CN=$HOST"
+fi
+
+if [ -e /etc/bridgehead/vault.conf ]; then
+	if [ "$(stat -c "%a %U" /etc/bridgehead/vault.conf)" != "600 bridgehead" ]; then
+		log ERROR "/etc/bridgehead/vault.conf has wrong owner/permissions. To correct this issue, run chmod 600 /etc/bridgehead/vault.conf && chown bridgehead /etc/bridgehead/vault.conf."
+		exit 1
+	fi
+fi
+
+log INFO "Success - all prerequisites are met!"
+
+exit 0
+>>>>>>> version-1
--- a/lib/remove-bridgehead-units.sh
+++ b/lib/remove-bridgehead-units.sh
@ -0,0 +1,25 @@
+#!/bin/bash -e
+
+source lib/functions.sh
+
+if [ $# -eq 0 ]; then
+    log "ERROR" "Please provide a Project as argument"
+    exit 1
+fi
+
+if [ $1 != "ccp" ] && [ $1 != "nngm" ] && [ $1 != "gbn" ]; then
+    log "ERROR" "Please provide a supported project like ccp, gbn or nngm"
+    exit 1
+fi
+
+export PROJECT=$1
+
+#checkRequirements // not needed when uninstalling
+
+log "INFO" "Stopping system units and removing bridgehead for ${PROJECT} ..."
+
+systemctl disable --now bridgehead@${PROJECT}.service bridgehead-update@${PROJECT}.timer bridgehead-update@${PROJECT}.service
+
+rm -v /etc/systemd/system/{bridgehead\@.service,bridgehead-update\@.timer,bridgehead-update\@.service}
+
+log "INFO" "Successfully removed bridgehead for ${PROJECT} from your system"
--- a/lib/setup-bridgehead-units.sh
+++ b/lib/setup-bridgehead-units.sh
@ -0,0 +1,37 @@
+#!/bin/bash
+
+source lib/functions.sh
+
+exitIfNotRoot
+
+if [ $# -eq 0 ]; then
+    log "ERROR" "Please provide a Project as argument"
+    exit 1
+fi
+
+if [ $1 != "ccp" ] && [ $1 != "nngm" ] && [ $1 != "gbn" ]; then
+    log "ERROR" "Please provide a supported project like ccp, gbn or nngm"
+    exit 1
+fi
+
+export PROJECT=$1
+
+checkRequirements
+
+log "INFO" "Register system units for bridgehead and bridgehead-update"
+cp -v \
+    lib/systemd/bridgehead\@.service \
+    lib/systemd/bridgehead-update\@.service \
+    lib/systemd/bridgehead-update\@.timer \
+    /etc/systemd/system/
+
+systemctl daemon-reload
+
+if ! systemctl is-active --quiet bridgehead@"${PROJECT}"; then
+    log "INFO" "Enabling autostart of bridgehead@${PROJECT}.service"
+    systemctl enable bridgehead@"${PROJECT}"
+    log "INFO" "Enabling nightly updates for bridgehead@${PROJECT}.service ..."
+    systemctl enable --now bridgehead-update@"${PROJECT}".timer
+fi
+
+log "INFO" "\nDone - now start your bridgehead by running\n\tsystemctl start bridgehead@${PROJECT}.service\nor by rebooting your machine."
--- a/lib/systemd/bridgehead-update@.service
+++ b/lib/systemd/bridgehead-update@.service
@ -1,3 +1,4 @@
+<<<<<<< HEAD
 [Unit]
 Description=Bridgehead (%i) Update Service

@ -8,3 +9,15 @@ ExecStart=/bin/bash -c "/srv/docker/bridgehead/update-bridgehead.sh %i"

 [Install]
 WantedBy=multi-user.target
+=======
+[Unit]
+Description=Bridgehead (%i) Update Service
+
+[Service]
+Type=oneshot
+User=bridgehead
+ExecStart=/srv/docker/bridgehead/bridgehead update %i
+
+[Install]
+WantedBy=multi-user.target
+>>>>>>> version-1
--- a/lib/systemd/bridgehead-update@.timer
+++ b/lib/systemd/bridgehead-update@.timer
@ -1,3 +1,4 @@
+<<<<<<< HEAD
 [Unit]
 Description=Nightly Updates of Bridgehead (%i)

@ -6,3 +7,13 @@ OnCalendar=*-*-* 03:00:00

 [Install]
 WantedBy=basic.target
+=======
+[Unit]
+Description=Nightly Updates of Bridgehead (%i)
+
+[Timer]
+OnCalendar=*-*-* 03:00:00
+
+[Install]
+WantedBy=basic.target
+>>>>>>> version-1
--- a/lib/systemd/bridgehead@.service
+++ b/lib/systemd/bridgehead@.service
@ -1,3 +1,4 @@
+<<<<<<< HEAD
 [Unit]
 Description=Bridgehead (%i) Service

@ -13,3 +14,17 @@ ExecStop=/bin/bash -c '`which docker-compose` -f %i/docker-compose.yml --env-fil

 [Install]
 WantedBy=multi-user.target
+=======
+[Unit]
+Description=Bridgehead (%i) Service
+
+[Service]
+User=bridgehead
+Restart=always
+RestartSec=30
+ExecStart=/srv/docker/bridgehead/bridgehead start %i
+ExecStop=/srv/docker/bridgehead/bridgehead stop %i
+
+[Install]
+WantedBy=multi-user.target
+>>>>>>> version-1
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@ -0,0 +1,73 @@
+#!/bin/bash
+source lib/functions.sh
+
+CONFFILE=/etc/bridgehead/$1.conf
+
+if [ ! -e $CONFFILE ]; then
+  log ERROR "Configuration file $CONFFILE not found."
+  exit 1
+fi
+
+source $CONFFILE
+
+assertVarsNotEmpty SITE_ID || exit 1
+export SITE_ID
+
+checkOwner . bridgehead || exit 1
+checkOwner /etc/bridgehead bridgehead || exit 1
+
+CREDHELPER="/srv/docker/bridgehead/lib/gitpassword.sh"
+
+# Check git updates
+for DIR in /etc/bridgehead $(pwd); do
+  log "INFO" "Checking for updates to git repo $DIR ..."
+  if [ "$(git -C $DIR config --get credential.helper)" != "$CREDHELPER" ]; then
+    log "INFO" "Configuring repo to use bridgehead git credential helper."
+    git -C $DIR config credential.helper "$CREDHELPER"
+  fi
+  old_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
+  git -C $DIR fetch 2>&1
+  git -C $DIR pull 2>&1
+  new_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
+  git_updated="false"
+  if [ "$old_git_hash" != "$new_git_hash" ]; then
+    log "INFO" "Updated git repository in ${DIR} from commit $old_git_hash to $new_git_hash"
+    # NOTE: Link generation doesn't work on repositories placed at an self-hosted instance of bitbucket.
+    # See: https://community.atlassian.com/t5/Bitbucket-questions/BitBucket-4-14-diff-between-any-two-commits/qaq-p/632974
+    git_repository_url="$(git -C $DIR remote get-url origin)"
+    git_repository_url=${git_repository_url/.git/}
+    if [ "$( echo $git_repository_url | grep "github.com")" ]; then
+      # Ensure web link even if ssh is used
+      git_repository_url="${git_repository_url/git@github.com/https:\/\/github.com\/}"
+      log "INFO" "You can review all changes on the repository with $git_repository_url/compare/$old_git_hash...$new_git_hash"
+    elif [ "$( echo $git_repository_url | grep "git.verbis.dkfz.de")" ]; then
+      git_repository_url="${git_repository_url/ssh:\/\/git@git.verbis.dkfz.de/https:\/\/git.verbis.dkfz.de\/}"
+      git_repository_url="https://$(echo $git_repository_url | awk -F '@' '{print $2}')"
+      log "INFO" "You can review all changes on the repository with $git_repository_url/compare?from=$old_git_hash&to=$new_git_hash"
+    fi
+    git_updated="true"
+  fi
+done
+
+# Check docker updates
+log "INFO" "Checking for updates to running docker images ..."
+docker_updated="false"
+for IMAGE in $(docker ps --filter "name=bridgehead" --format {{.Image}}); do
+  log "INFO" "Checking for Updates of Image: $IMAGE"
+  if docker pull $IMAGE | grep "Downloaded newer image"; then
+    log "INFO" "$IMAGE updated."
+    docker_updated="true"
+  fi
+done
+
+# If anything is updated, restart service
+if [ $git_updated = "true" ] || [ $docker_updated = "true" ]; then
+  log "INFO" "Update detected, now restarting bridgehead"
+  systemctl restart 'bridgehead@*'
+else
+  log "INFO" "Nothing updated, nothing to restart."
+fi
+
+exit 0
+
+# TODO: Print last commit explicit